1 00:00:12,020 --> 00:00:14,940 Hi and welcome back to another episode on How to Hack.
2 00:00:15,440 --> 00:00:21,980 So over here, I have Mutillidae running, and Mutillidae is a vulnerable web application server for us
3 00:00:21,980 --> 00:00:24,410 to learn about web application penetration testing.
4 00:00:24,980 --> 00:00:31,370 So on the left side, you can see OWASP Top 10, Open Web Application Security Project Top 10
5 00:00:31,640 --> 00:00:32,740 vulnerabilities.
6 00:00:32,750 --> 00:00:39,050 So these are vulnerabilities that could be inherent in web application servers, that are commonly found
7 00:00:39,050 --> 00:00:40,010 vulnerabilities.
8 00:00:40,550 --> 00:00:45,620 So over here, we can look at injection: SQL injection, HTML injection.
9 00:00:45,980 --> 00:00:48,640 We can look at broken authentication and session management.
10 00:00:48,650 --> 00:00:54,920 So we'll be covering a lot of all these web application vulnerabilities over the next few tutorials
11 00:00:54,920 --> 00:01:00,830 to learn more about how penetration testing is being conducted against all these different web application
12 00:01:00,830 --> 00:01:01,400 services.
13 00:01:02,090 --> 00:01:06,410 So another thing I want to highlight to you is about the use of a tool.
14 00:01:06,410 --> 00:01:08,440 And this tool is what we call ZAP proxy.
15 00:01:08,810 --> 00:01:15,080 So all I got to do is enter zaproxy and we can kick-start this Open Web Application Security Project
16 00:01:15,080 --> 00:01:15,590 ZAP.
17 00:01:15,590 --> 00:01:21,650 So it'll allow us the ability to scan the sites, automatically find vulnerabilities.
18 00:01:21,920 --> 00:01:27,920 So it is an automated scanner, and at the same time it will also show us the kind of payloads that are
19 00:01:27,920 --> 00:01:33,650 being injected into the site so that we can also learn and educate ourselves about how all this has
20 00:01:33,650 --> 00:01:34,150 come about.
21 00:01:34,580 --> 00:01:40,220 And of course, we can also think about customizing the payloads, changing the variables of the payload
22 00:01:40,220 --> 00:01:41,120 in our attacks.
23 00:01:41,510 --> 00:01:44,690 So in this case, we can now proceed at this moment in time.
24 00:01:44,690 --> 00:01:50,240 QuickStart, and we have this particular QuickStart page called Automated Scan.
25 00:01:50,250 --> 00:01:52,100 So this helps us run the automated attack.
26 00:01:52,400 --> 00:01:56,730 But I want to highlight a little more about the graphical user interface of OWASP ZAP.
27 00:01:56,990 --> 00:02:02,140 So over here, on the top side, we have all these tabs, so we have the session management.
28 00:02:02,330 --> 00:02:06,230 So this session depends on the number of sessions and scanning
29 00:02:06,230 --> 00:02:12,230 you're running for different websites, and we have the Edit mode, we have the View.
30 00:02:12,270 --> 00:02:12,630 All right.
31 00:02:12,650 --> 00:02:18,140 And we have the Analyse, the Scan Policy Manager, so we can go in and click on that so we can actually
32 00:02:18,140 --> 00:02:21,350 look at the modification of the scan policy.
33 00:02:21,350 --> 00:02:26,480 And all the scan policies can also be managed as part of running a website.
34 00:02:26,870 --> 00:02:33,800 And a great thing is that it helps us generate reports like HTML, XML report, Markdown report and so on.
35 00:02:34,130 --> 00:02:40,250 So this makes it particularly useful if you have to report to management, if you have to report the
36 00:02:40,250 --> 00:02:43,820 findings to different people, different stakeholders.
37 00:02:44,270 --> 00:02:46,220 And we have all these different tools as well.
38 00:02:46,220 --> 00:02:53,330 And all those tools can be highly useful in helping us run different kinds of policy checks, so we can
39 00:02:53,330 --> 00:02:54,290 click on our options.
40 00:02:54,590 --> 00:03:02,540 So we have the scanning options and we have all these different rules, searching, and most importantly
41 00:03:02,960 --> 00:03:05,300 is to actually look at the Local Proxies.
42 00:03:05,300 --> 00:03:06,590 So under Local Proxies,
43 00:03:07,010 --> 00:03:10,240 we have localhost and we have the port number 8080.
44 00:03:10,940 --> 00:03:17,990 So this is really helpful for us to point our target system of choice.
45 00:03:18,140 --> 00:03:23,210 And of course also, depending on the browser, we can also select specifically the kind of browser we
46 00:03:23,210 --> 00:03:24,730 want to target against the system.
47 00:03:25,310 --> 00:03:28,940 So moving forward, we can actually go ahead and run the automated scan.
48 00:03:30,020 --> 00:03:33,840 So all we can do is specify the URL and we can actually launch the attack from here.
49 00:03:34,220 --> 00:03:43,400 So in my case, I can enter 192.168.0.212, which is the web application
50 00:03:43,400 --> 00:03:44,990 server running Mutillidae.
51 00:03:45,290 --> 00:03:54,380 So I can just put in Mutillidae, and all I got to do is run an attack, and then it will again begin launching
52 00:03:54,380 --> 00:03:56,570 and initializing the attack against the system.
53 00:03:56,930 --> 00:03:58,580 So all we can do is go back here.
54 00:03:58,610 --> 00:04:04,640 So we've got 192.168.0.212/mutillidae/ and we can go in and click
55 00:04:04,640 --> 00:04:05,150 on Attack.
56 00:04:05,630 --> 00:04:08,930 So immediately the automated attack would take a while.
57 00:04:08,930 --> 00:04:15,480 So we are spidering across the entire site, finding all the links and pages so we can go after them.
58 00:04:15,800 --> 00:04:20,750 So once we complete the spidering, OK, what we can do next is to run the active scan
59 00:04:20,750 --> 00:04:24,860 against these pages to see whether there are any vulnerabilities.
60 00:04:25,100 --> 00:04:31,050 And a great thing is that for a site like Mutillidae, it could take up to five, ten minutes for a scan
61 00:04:31,050 --> 00:04:31,670 to complete.
62 00:04:32,210 --> 00:04:36,350 And while the scan is happening, we can actually click under Alerts.
63 00:04:36,620 --> 00:04:42,800 So when I click on Alerts, we can actually see the different kinds of payloads attacked as well as findings.
64 00:04:43,160 --> 00:04:49,730 So, for example, over here we have path traversal, and we can actually double-click on it and expand
65 00:04:49,730 --> 00:04:53,830 further and look at the site being affected or being impacted by this attack.
66 00:04:54,500 --> 00:04:59,270 So, for example, over here we have all these different payloads that are being sent into the site, so
67 00:04:59,270 --> 00:05:04,460 I can double-click on it and I can actually look at the new URL and I can copy the URL.
68 00:05:04,940 --> 00:05:09,320 I can go back into the browser and open up a browser.
69 00:05:09,880 --> 00:05:15,640 And I can open up a tab and I can hit enter on this and look at our findings directly from here, so we
70 00:05:15,640 --> 00:05:21,360 can look at the findings, and of course, immediately we are able to extract this particular file.
71 00:05:21,610 --> 00:05:30,100 So this file is /etc/passwd. So this would actually list out all the user accounts inside the server.
72 00:05:30,100 --> 00:05:34,870 So immediately we can find root, we can find daemon, we can find bin, we can find all these different
73 00:05:34,870 --> 00:05:39,700 accounts that are actually inside the Linux system.
74 00:05:39,710 --> 00:05:42,860 So this is, in a way, an operating system command.
75 00:05:42,880 --> 00:05:45,910 It allows us to see all this different information through
76 00:05:45,910 --> 00:05:48,530 the path traversal, and we can also change it.
77 00:05:48,880 --> 00:05:49,130 All right.
78 00:05:49,180 --> 00:05:51,890 So instead of passwd, can we change it to something else?
79 00:05:52,180 --> 00:05:56,850 So this is the part where we are looking at trying to find out all these different data.
80 00:05:57,010 --> 00:06:00,280 So, of course, can we find /etc/shadow?
81 00:06:00,310 --> 00:06:02,680 Are we able to find those data sources?
82 00:06:02,680 --> 00:06:03,940 Permission denied.
83 00:06:04,350 --> 00:06:10,510 OK, so again, we are trying to find all this different data directly from the system to help us find
84 00:06:10,510 --> 00:06:12,940 out more details, more information.
85 00:06:12,940 --> 00:06:14,410 Can we try to find /home?
86 00:06:14,950 --> 00:06:15,310 All right.
87 00:06:15,320 --> 00:06:22,180 So again, we are trying to find all this different information, which is why the use of Linux commands
88 00:06:22,180 --> 00:06:26,890 is very, very important, because if we understand how Linux commands work, we will have the ability
89 00:06:26,890 --> 00:06:33,100 to try to find more information about a site while OWASP ZAP is actually doing all this, finding
90 00:06:33,160 --> 00:06:35,810 all these different attacks directly against the system.
91 00:06:36,350 --> 00:06:39,080 OK, so let's go back into the findings.
92 00:06:39,130 --> 00:06:41,260 So here we have path traversal.
93 00:06:41,770 --> 00:06:43,690 We have remote file inclusion.
94 00:06:43,750 --> 00:06:51,610 OK, so again, this means that the site actually allows other sites to be included into these pages, which
95 00:06:51,610 --> 00:06:57,040 means that the hackers could actually try to do a defacement and they could actually insert their
96 00:06:57,040 --> 00:06:59,110 own pages into the site.
97 00:06:59,500 --> 00:07:04,030 So over here, for example, we have the payload and we have this particular URL.
98 00:07:04,030 --> 00:07:10,390 Again, I can copy this information and I can actually paste it again into the URL of your browser
99 00:07:10,390 --> 00:07:11,410 and hit enter on that.
100 00:07:11,770 --> 00:07:14,640 And immediately we see Google search information from here.
101 00:07:14,980 --> 00:07:18,510 So we were able to embed something into this site immediately.
102 00:07:19,000 --> 00:07:22,810 And of course, what the hackers would do is that they would give a legitimate link,
103 00:07:23,260 --> 00:07:23,500 right,
104 00:07:23,500 --> 00:07:30,690 that represents this particular site, and it is being sent over into the victim's computer as a URL.
105 00:07:30,700 --> 00:07:37,180 So, for example, I can change google.com, if we can change it to my site, Loi Yang dot com, and
106 00:07:37,180 --> 00:07:38,380 see whether it loads.
107 00:07:38,900 --> 00:07:44,050 So this is, again, a way for us to test using different kinds of variables to see whether we are able
108 00:07:44,050 --> 00:07:45,670 to access different sites.
109 00:07:46,180 --> 00:07:49,360 OK, so again, we are trying to test out all these different systems.
110 00:07:49,360 --> 00:07:51,550 Can we try gmail.com, for example?
111 00:07:51,790 --> 00:07:55,680 But we do get the same result, but we do get different information.
112 00:07:56,020 --> 00:07:59,250 So likewise, the same thing is being shown over here.
113 00:07:59,470 --> 00:08:06,430 So the hackers are able to embed this kind of pages, this kind of different sites into the link and
114 00:08:06,430 --> 00:08:11,170 be able to change up the variables, especially from the different payloads that are being sent directly
115 00:08:11,170 --> 00:08:17,320 from OWASP ZAP, that will actually allow the hackers to change up a little more, amend a little more
116 00:08:17,620 --> 00:08:19,870 about how they want to launch all these different attacks.
117 00:08:20,470 --> 00:08:25,990 So, likewise, we can see SQL injection, we can see cross-site scripting, OK, so we are able
118 00:08:25,990 --> 00:08:30,790 to see all this different data and we can go back into the active scan result.
119 00:08:30,790 --> 00:08:32,560 So we are at fifty-one percent done.
120 00:08:32,950 --> 00:08:39,460 So we can understand directly from here what are the pages that are actually subjected to different
121 00:08:39,460 --> 00:08:43,400 kinds of SQL injection, to cross-site scripting, and we can try to launch our attack from there.
122 00:08:43,870 --> 00:08:49,810 So the great thing of course is that when we go back into this site, we can actually reset the database,
123 00:08:49,810 --> 00:08:55,750 especially when you put in so many different kinds of payloads into the site that could actually corrupt
124 00:08:55,750 --> 00:08:56,520 the database.
125 00:08:56,830 --> 00:09:02,410 So a lot of times when we are doing all these different attacks, we want to make sure that we can ascertain
126 00:09:02,980 --> 00:09:04,480 how the site is performing.
127 00:09:04,750 --> 00:09:09,850 And of course, when you're doing an actual penetration test, a lot of times you'll be targeting
128 00:09:10,210 --> 00:09:13,920 these environments that are actually making the production service.
129 00:09:14,110 --> 00:09:20,470 So that is also another point that you want to highlight when you're doing your web application penetration
130 00:09:20,470 --> 00:09:20,960 testing.
131 00:09:21,490 --> 00:09:21,790 All right.
132 00:09:21,800 --> 00:09:27,190 So with that, let me know what are the findings that you can get from your OWASP ZAP against a target
133 00:09:27,190 --> 00:09:27,760 system.
134 00:09:28,120 --> 00:09:33,040 And if you like what you've just watched, remember to like and subscribe to the channel so that you can be kept
135 00:09:33,040 --> 00:09:35,080 abreast of the latest cyber security tutorials.
136 00:09:35,230 --> 00:09:36,700 Thank you so much once again for watching.